[arch-general] gnupg 2.1 not stable

Ido Rosen ido at kernel.org
Wed Dec 17 19:19:09 UTC 2014


On Wed, Dec 17, 2014 at 1:46 PM, "P. A. López-Valencia"
<vorbote at outlook.com> wrote:
>
> On 17/12/14 13:04, Ido Rosen wrote:
>>
>> Did you read the rest of that paragraph? You disregarded my points as a
>> red herring, then made a straw man argument that we should donate instead of
>> downgrading (and leave Arch users vulnerable). In the same paragraph, you
>> quote Arch policy which agrees with the downgrade... I guess you are just
>> trolling. Happy holidays, either way. :-)
>
>
> I did read the rest of the paragraph but considered it not relevant to the
> discussion. The donation was not a strawman argument but rather a statement
> of fact about the actual situation with the gnupg.org project and its higher
> relevance to your concerns about security of the software. I did use the
> opportunity to try and have the discussion go outside the box and not focus
> completely on your arguments, which as presented might cause panic in some
> users. I do understand your concerns about stability but, honestly, using
> Arch is a guarantee to be bitten sooner or later.

Your comment about stability in Arch is yet another straw man.  I'm
concerned about continuity and security against distribution channel
being hijacked: Arch has no continuity if it can't reliably verify the
authenticity of its distribution channel (i.e. if database and package
signatures stop working properly, or someone compromised them).  If it
were any other piece of Arch, like libc or even the kernel, I wouldn't
care as much, but this is the piece of Arch that is responsible for
telling an Arch user that he is really getting Arch and not some
backdoored malicious lookalike.

The correct response is indeed for users to panic and demand that Arch
devs be more responsible about reading release notes before upgrading
such important core components of the system.

> Also, I agree that gnupg would have been better kept at 2.0.x for some time
> and have 2.1.x in community or AUR even for at least 2 or 3 point releases.
> But considering the changes in keyring management and the higher security
> (like disabling all pgp keys with md5 hashes), I can live with the changes.
> Those same changes make downgrading a painful process.

As for downgrading being painful:  I just downgraded that way and it
was painless (and pacman, all pacman keys, keyring, etc. still work
for me).

> Addressing your observations in the follow up message to the one I'm
> responding to, notice that nowhere in the release message does it say that you
> must not use gpg "modern", only that gpg "stable" is what most users use and
> perhaps the one with fewer bugs. As Arch uses current software in most cases,
> we the users are QA testers for more upstream projects than we can believe,
> so I wasn't surprised by the move to gnupg, but see above.

This is what the 2.1.1 point release says, verbatim:
"""
- GnuPG "modern" (2.1) is the latest development with a lot of new
  features.  This announcement is about the first release of this
  version.

- GnuPG "stable" (2.0) is the current stable version for general use.
  This is what most users are currently using.
"""

So, it does directly imply that you should not use gpg "modern" (not
stable) yet for general use, as opposed to development.  It goes as
far as calling "modern" a development release, and to draw the
distinction between it and the "stable" release.  It also implies that
"modern" is not yet suited for general use, by saying that "stable" is
for general use.  Whether or not we parse these words verbatim or
add some interpretation, the meaning is clear: 2.0 is for general use
and is stable, 2.1.1 is not stable and is a development release.
